From: gopher-bounce@complete.org
       Date: Sun May 10 04:43:50 2009
       Subject: [gopher] Re: Running buckd in a chroot jail?
       
       OK, here's take two, using jailkit (http://olivier.sessink.nl/jailkit):
       
       # added by Bucktooth install
       service buckd
       {
               type                    = UNLISTED
               protocol                = tcp
               port                    = 70
               flags                   = REUSE
               socket_type             = stream
               wait                    = no
               instances               = UNLIMITED
               user                    = root
               server                  = /usr/sbin/jk_chrootlaunch
               server_args             = -j /chroot/buckd -x /chroot/buckd/usr/local/bin/buckd --user gopher --group gopher
       }
       
       Does anybody see any glaring security issues with this?  buckd does
       indeed seem to be running under user "gopher" when port 70 is
       accessed:
       
       gopher   23883  0.0  0.8  82332  2340 ?        Ss   02:40   0:00 /usr/bin/perl -s usr/local/bin/buckd
       
         --Brian
       
       On Sat, May 09, 2009 at 08:05:03PM -0500, Brian Koontz wrote:
       > I've got buckd successfully running in a chroot jail.  This is the
       > relevant portion of my xinetd.conf file:
       > 
       > # added by Bucktooth install
       > service buckd
       > {
       >         type                    = UNLISTED
       >         protocol                = tcp
       >         port                    = 70
       >         flags                   = REUSE
       >         socket_type             = stream
       >         wait                    = no
       >         instances               = UNLIMITED
       >         user                    = root
       > #        server                  = /chroot/buckd/usr/local/bin/buckd
       >         server                  = /usr/sbin/chroot
       >         server_args             = /chroot/buckd/ /usr/local/bin/buckd
       > 
       > }
       > 
       > The obvious problem here is that buckd is running as root (because
       > chroot must be invoked as root).  From what I understand, it's still
       > possible to break out of a chroot jail as root.  Is there a way for me
       > to set this up so buckd runs under a non-root user?
       > 
       >   --Brian
       > 